Configuring IPv6 ACLs

When the switch is running the advanced IP services feature set, you can filter IP Version 6 (IPv6) traffic by creating IPv6 access control lists (ACLs) and applying them to interfaces similarly to the way that you create and apply IP Version 4 (IPv4) named ACLs. You can also create and apply input router ACLs to filter Layer 3 management traffic when the switch is running the IP services or IP base feature set. This chapter includes information about configuring IPv6 ACLs on the switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.

Note To use IPv6, you must configure the dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch. You select the template by entering the sdm prefer dual-ipv4-and-ipv6 {default | vlan} [desktop] global configuration command.

A switch running the IP services or IP base feature set supports only input router IPv6 ACLs. It does not support port ACLs or output IPv6 router ACLs.

Note If you configure unsupported IPv6 ACLs, an error message appears and the configuration does not take effect.

On a switch running the IP base or IP services feature set, if you create or apply an output router ACL or an input port ACL, the ACL is added to the switch configuration but does not take effect; an error message appears. If you want to use the output router ACL or input port ACL, save the switch configuration and enable the advanced IP services feature set, which supports the ACL.

•When an input router ACL and input port ACL exist in an SVI, packets received on ports to which a port ACL is applied are filtered by the port ACL. Routed IP packets received on other ports are filtered by the router ACL. Other packets are not filtered.

•When an output router ACL and input port ACL exist in an SVI, packets received on the ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IPv6 packets are filtered by the router ACL. Other packets are not filtered.

Note If any port ACL (IPv4, IPv6, or MAC) is applied to an interface, that port ACL is used to filter packets, and any router ACLs attached to the SVI of the port VLAN are ignored.

These sections describe some characteristics of IPv6 ACLs on the switch:

Supported ACL Features

•If the switch runs out of hardware space, packets associated with the ACL are forwarded to the CPU, and the ACLs are applied in software.

•Routed or bridged packets with hop-by-hop options have IPv6 ACLs applied in software.

•Logging is supported for router ACLs, but not for port ACLs.

•The switch supports IPv6 address-matching for a full range of prefix-lengths.

IPv6 ACL Limitations

With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs.

The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions:

•The switch does not support matching on these keywords: flowlabel, routing header, and undetermined-transport.

•The switch does not support reflexive ACLs (the reflect keyword).

•This release supports only port ACLs and router ACLs for IPv6; it does not support VLAN ACLs (VLAN maps).

•The switch does not apply MAC-based ACLs on IPv6 frames.

•You cannot apply IPv6 port ACLs to Layer 2 EtherChannels.

•The switch does not support output port ACLs.

•Output router ACLs and input port ACLs for IPv6 are supported only when the switch is running the advanced IP services feature set. Switches running the IP services or IP base feature set support only input router ACLs for IPv6 management traffic.

•When configuring an ACL, there is no restriction on keywords entered in the ACL, regardless of whether or not they are supported on the platform. When you apply the ACL to an interface that requires hardware forwarding (physical ports or SVIs), the switch checks to determine whether or not the ACL can be supported on the interface. If not, attaching the ACL is rejected.

•If an ACL is applied to an interface and you attempt to add an access control entry (ACE) with an unsupported keyword, the switch does not allow the ACE to be added to the ACL that is currently attached to the interface.

IPv6 ACLs and Switch Stacks

The stack master supports IPv6 ACLs in hardware and distributes the IPv6 ACLs to the stack members.

Note For full IPv6 functionality in a switch stack, all stack members must be running the advanced IP services feature set. Switches running the IP services or IP base feature set support only input router IPv6 ACLs for IPv6 management traffic.

If a new switch takes over as stack master, it distributes the ACL configuration to all stack members. The member switches synchronize with the configuration distributed by the new stack master and flush entries that are no longer required.

When an ACL is modified, attached to, or detached from an interface, the stack master distributes the change to all stack members.

Configuring IPv6 ACLs

Before configuring IPv6 ACLs, you must select one of the dual IPv4 and IPv6 SDM templates.

Default IPv6 ACL Configuration

There are no IPv6 ACLs configured or applied.

Interaction with Other Features and Switches

Configuring IPv6 ACLs has these interactions with other features or switch characteristics:

•If an IPv6 router ACL is configured to deny a packet, the packet is not routed. A copy of the packet is sent to the Internet Control Message Protocol (ICMP) queue to generate an ICMP unreachable message for the frame.

•If a bridged frame is to be dropped due to a port ACL, the frame is not bridged.

•You can create both IPv4 and IPv6 ACLs on a switch or switch stack, and you can apply both IPv4 and IPv6 ACLs to the same interface. Each ACL must have a unique name; an error message appears if you try to use a name that is already configured.

You use different commands to create IPv4 and IPv6 ACLs and to attach IPv4 or IPv6 ACLs to the same Layer 2 or Layer 3 interface. If you use the wrong command to attach an ACL (for example, an IPv4 command to attach an IPv6 ACL), you receive an error message.

•If the hardware memory is full, for any additional configured ACLs, packets are forwarded to the CPU, and the ACLs are applied in software.

•The implementation of IPv6 ACLs on Catalyst 3750-E and 3560-E switches is the same as that on Catalyst 3750 and 3560 switches except for the differences summarized in the Cisco Software Activation and Compatibility Document on Cisco.com.

Creating IPv6 ACLs

Beginning in privileged EXEC mode, follow these steps to create an IPv6 ACL:

Enter deny or permit to specify whether to deny or permit the packet if conditions are matched. These are the conditions:

•For protocol, enter the name or number of an Internet protocol: ahp, esp, icmp, ipv6, pcp, sctp, tcp, or udp, or an integer in the range 0 to 255 representing an IPv6 protocol number.

Note For additional specific parameters for ICMP, TCP, and UDP, see Steps 3b through 3d.

•The source-ipv6-prefix/prefix-length or destination-ipv6-prefix/prefix-length is the source or destination IPv6 network or class of networks for which to set deny or permit conditions, specified in hexadecimal and using 16-bit values between colons (see RFC 2373).

•Enter any as an abbreviation for the IPv6 prefix ::/0.

•For host source-ipv6-address or host destination-ipv6-address, enter the source or destination IPv6 host address for which to set deny or permit conditions, specified in hexadecimal using 16-bit values between colons.

If the operator follows the source-ipv6-prefix/prefix-length argument, it must match the source port. If the operator follows the destination-ipv6-prefix/prefix-length argument, it must match the destination port.

•(Optional) The port-number is a decimal number from 0 to 65535 or the name of a TCP or UDP port. You can use TCP port names only when filtering TCP. You can use UDP port names only when filtering UDP.

•(Optional) Enter dscp value to match a differentiated services code point value against the traffic class value in the Traffic Class field of each IPv6 packet header. The acceptable range is from 0 to 63.

•(Optional) Enter fragments to check noninitial fragments. This keyword is visible only if the protocol is ipv6.

•(Optional) Enter log to cause a logging message to be sent to the console about the packet that matches the entry. Enter log-input to include the input interface in the log entry. Logging is supported only for router ACLs.

•(Optional) Enter routing to specify that IPv6 packets be routed.

•(Optional) Enter sequence value to specify the sequence number for the access list statement. The acceptable range is from 1 to 4294967295.

•(Optional) Enter time-range name to specify the time range that applies to the deny or permit statement.

Enter udp for the User Datagram Protocol. The UDP parameters are the same as those described for TCP, except that the [operator [port]] port number or name must be a UDP port number or name, and the established parameter is not valid for UDP.

Enter icmp for Internet Control Message Protocol. The ICMP parameters are the same as those described for most IP protocols in Step 3a, with the addition of the ICMP message type and code parameters. These optional keywords have these meanings:

•icmp-type—Enter to filter by ICMP message type, a number from 0 to 255.

•icmp-code—Enter to filter ICMP packets by the ICMP message code, a number from 0 to 255.

•icmp-message—Enter to filter ICMP packets by the ICMP message type name or the ICMP message type and code name. To see a list of ICMP message type names and code names, use the ? key or see the command reference for this release.

Step 4: end. Return to privileged EXEC mode.

Step 5: show ipv6 access-list. Verify the access list configuration.

Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file.

Use the no {deny | permit} IPv6 access-list configuration commands with keywords to remove the deny or permit conditions from the specified access list.

This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000. The second deny also logs all matches to the console. The first permit entry in the list permits all ICMP packets. The second permit entry in the list permits all other traffic. The second permit entry is necessary because an implicit deny-all condition is at the end of each IPv6 access list.

Switch(config)# ipv6 access-list CISCO

Switch(config-ipv6-acl)# deny tcp any any gt 5000

Switch(config-ipv6-acl)# deny udp ::/0 lt 5000 ::/0 log

Switch(config-ipv6-acl)# permit icmp any any

Switch(config-ipv6-acl)# permit any any
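The evaluation rules spelled out above (a port operator that follows the source prefix tests the source port, one that follows the destination prefix tests the destination port, ACEs are checked in order, and an implicit deny-all ends every list) can be checked against the CISCO list with a small model. The following Python is an added example written for this page, not Cisco software or the switch's own matching logic; it assumes numeric ports only, leaves out TCP/UDP port names, ICMP type/code and the other optional keywords, and uses the udp keyword on the second deny entry as the prose describes it. The sample packets are constructed, not captured traffic.

```python
import ipaddress
import operator
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example (not Cisco code): a small model of IPv6 ACL evaluation as the
# page describes it. ACEs are checked in order, the first match decides, and
# an implicit deny-all sits at the end of every list.

ANY = ipaddress.IPv6Network("::/0")
OPS = {"eq": operator.eq, "neq": operator.ne, "gt": operator.gt, "lt": operator.lt}
PortCond = Optional[Tuple[str, int]]   # (operator, port), or None when no operator is given


@dataclass
class ACE:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ipv6" matches every IPv6 packet
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    src_op: PortCond = None         # operator after the source prefix tests the source port
    dst_op: PortCond = None         # operator after the destination prefix tests the destination port
    log: bool = False


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    sport: Optional[int] = None     # None for packets without transport ports (e.g. ICMP)
    dport: Optional[int] = None


def parse_ace(line: str) -> ACE:
    """Parse one deny/permit line in the page's syntax (numeric ports only)."""
    tok = line.split()
    action = tok[0]
    # The protocol keyword is optional: "permit any any" behaves like "permit ipv6 any any".
    if tok[1] in ("any", "host") or ":" in tok[1]:
        protocol, i = "ipv6", 1
    else:
        protocol, i = tok[1], 2

    def take_addr() -> ipaddress.IPv6Network:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ANY
        if tok[i] == "host":              # host X is the /128 prefix of X
            i += 2
            return ipaddress.IPv6Network(tok[i - 1] + "/128")
        i += 1
        return ipaddress.IPv6Network(tok[i - 1], strict=False)

    def take_op() -> PortCond:
        nonlocal i
        if i < len(tok) and tok[i] in OPS:
            i += 2
            return (tok[i - 2], int(tok[i - 1]))
        return None

    src, src_op = take_addr(), take_op()
    dst, dst_op = take_addr(), take_op()
    log = any(t in ("log", "log-input") for t in tok[i:])
    return ACE(action, protocol, src, dst, src_op, dst_op, log)


def _port_ok(cond: PortCond, port: Optional[int]) -> bool:
    if cond is None:
        return True
    if port is None:            # an operator can never match a packet without a port
        return False
    op, value = cond
    return OPS[op](port, value)


def matches(ace: ACE, pkt: Packet) -> bool:
    if ace.protocol != "ipv6" and ace.protocol != pkt.protocol:
        return False
    if ipaddress.IPv6Address(pkt.src) not in ace.src:
        return False
    if ipaddress.IPv6Address(pkt.dst) not in ace.dst:
        return False
    return _port_ok(ace.src_op, pkt.sport) and _port_ok(ace.dst_op, pkt.dport)


def evaluate(acl, pkt: Packet):
    """Return (action, index of the matching ACE or None, whether that ACE logs)."""
    for i, ace in enumerate(acl):
        if matches(ace, pkt):
            return ace.action, i, ace.log
    return "deny", None, False  # implicit deny-all at the end of the list


# The page's CISCO list, with the udp keyword the prose describes on the second deny.
CISCO_LINES = [
    "deny tcp any any gt 5000",
    "deny udp ::/0 lt 5000 ::/0 log",
    "permit icmp any any",
    "permit any any",
]
CISCO = [parse_ace(line) for line in CISCO_LINES]

if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    for pkt in [Packet("tcp", "2001:db8::1", "2001:db8::2", 40000, 8080),
                Packet("udp", "2001:db8::1", "2001:db8::2", 53, 40000),
                Packet("icmp", "2001:db8::1", "2001:db8::2")]:
        print(pkt, "->", evaluate(CISCO, pkt))
    # Without the final permit, an otherwise unmatched packet hits the implicit deny.
    print(evaluate(CISCO[:3], Packet("tcp", "2001:db8::1", "2001:db8::2", 40000, 443)))
```

Running the model shows why the last permit entry matters: drop it and a TCP packet to port 443, which no explicit entry matches, is denied by the implicit deny-all with no log entry, which is also the case you would not see in the console output when troubleshooting.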

Applying an IPv6 ACL to an Interface

This section describes how to apply IPv6 ACLs to network interfaces. If the switch is running the advanced IP services feature set, you can apply an ACL to outbound or inbound traffic on Layer 3 interfaces, or to inbound traffic on Layer 2 interfaces. If the switch is running the IP services or IP base feature set, you can apply ACLs only to inbound management traffic on Layer 3 interfaces.

Beginning in privileged EXEC mode, follow these steps to control access to an interface: